IdPVault

IdPVault

Docker app from Selfhosters

Overview

Self-hosted backup, drift detection, and restore for identity providers (Authentik, Okta, and Auth0). Encrypted configuration snapshots on a schedule, a diff of every change, selective restore with dry-run preview, and Users and Access backup/restore on paid tiers. No telemetry, no phone-home; license keys verify offline. Free Community tier included (1 tenant). Requires a PostgreSQL database - install any PostgreSQL container from CA and point the Database URL below at it. The encryption master key generates itself on first boot in the Secrets path: back that folder up and never delete it, or existing snapshots become unreadable. The container runs as a non-root user (uid 10001). If it fails to start with permission errors, run: chown -R 10001:10001 /mnt/user/appdata/idpvault

IdPVault

CI License: BSL 1.1 Image Website

Self-hosted backup, drift detection, and restore for Authentik, Okta, and Auth0 tenants.

Point IdPVault at your identity providers and it takes scheduled, encrypted snapshots of every configuration object - apps, flows, policies, groups, mappings, and more. Browse snapshot history, diff any two points in time, get alerted on config drift, and restore objects when something breaks.

Features

  • Scheduled + on-demand encrypted backups (AES-256-GCM, per-tenant envelope keys)
  • Providers: Authentik, Okta, Auth0 (pluggable adapter interface)
  • Users & Access backup (opt-in): users, group memberships, and provenance-aware app assignments
  • Adaptive Okta rate limiting (auto-learns limits; configurable reserve headroom)
  • Snapshot-to-snapshot diff, drift detection, and a per-object change events feed
  • Restore engine: dry-run preview, dependency-ordered apply (Authentik), per-object restore reports
  • Clone / promote: restore a snapshot into another same-provider tenant to push a perfected app from preprod to prod
  • Multi-user: session login, admin / read-only roles, email invites, SMTP settings
  • Dashboard: coverage, unbacked-changes (live IdP event polling), storage stats
  • Snapshot object browser - inspect any object in any snapshot
  • Retention policies per tenant; audit log with viewer
  • Alerts on drift or failed backups: webhook (ntfy / Slack) + email
  • Prometheus metrics endpoint (set IDPVAULT_METRICS_TOKEN to enable)
  • Backups queue and run one at a time by default, safe for modest hosts (set IDPVAULT_BACKUP_WORKERS to run more in parallel); schedules run in your org timezone, DST-aware

Quick deploy (Docker Compose / Portainer stack)

See docker/compose.example.yaml. Single app image + Postgres, no other dependencies - and zero configuration: docker compose up -d is the whole install. On first boot the app generates its master encryption key inside the idpvault_secrets volume, fixes volume ownership, and drops to a non-root user. Back the key up right after first boot (docker cp idpvault:/secrets/master.key ./master.key.backup) - without it, encrypted snapshots are unrecoverable, and there is no escrow or phone-home. The app refuses to boot into either dangerous state (key missing with data present, or a wrong key against an existing database) rather than corrupt anything.

Named volumes are the default; to use host bind mounts instead, swap the volume names for host paths in the stack - the app handles ownership itself. Setting POSTGRES_PASSWORD in the stack environment is recommended (the DB is only reachable inside the stack's private network).

services:
  idpvault:
    image: ghcr.io/keltech-services/idpvault:latest
    container_name: idpvault
    restart: unless-stopped
    ports:
      - "8480:8080"
    environment:
      IDPVAULT_DATABASE_URL: postgresql+psycopg://idpvault:${POSTGRES_PASSWORD:-idpvault-internal}@idpvault-db:5432/idpvault
      IDPVAULT_DATA_DIR: /data
      IDPVAULT_MASTER_KEY_FILE: /secrets/master.key
    volumes:
      - idpvault_data:/data
      - idpvault_secrets:/secrets
    depends_on:
      idpvault-db:
        condition: service_healthy

  idpvault-db:
    image: postgres:16-alpine
    container_name: idpvault-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: idpvault
      POSTGRES_USER: idpvault
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-idpvault-internal}
    volumes:
      - idpvault_postgres:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U idpvault"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  idpvault_data:
  idpvault_secrets:
  idpvault_postgres:

Platform support (Linux, macOS, Windows)

IdPVault runs anywhere Docker runs. The image is published for linux/amd64 and linux/arm64 as a single tag, so docker compose up pulls the right build automatically - no per-platform compose files, the stack above works unchanged on every platform.

  • Linux servers and NAS boxes (Debian/Ubuntu/RHEL, Synology, QNAP, Unraid, TrueNAS, Proxmox): the primary target. Works with Docker Engine or Portainer. On Synology/QNAP, install Docker/Container Manager from the package center and paste the stack into Portainer or a compose project.
  • macOS (Docker Desktop, OrbStack, or Colima): works on both Intel and Apple Silicon - Apple Silicon gets the native arm64 image. Fine for evaluation and small setups; for always-on production use a server, since a sleeping laptop means missed backup schedules.
  • Windows (Docker Desktop with the WSL2 backend, the default on Windows 10/11): works out of the box. Keep the default named volumes; if you switch to bind mounts, put them on the Linux side of WSL2 (not a C:\ path) for correct permissions and much better performance.
  • ARM boards (Raspberry Pi 4/5 and other arm64 SBCs): supported via the arm64 image. 64-bit OS required; 2 GB+ RAM recommended.

Notes that apply everywhere: the app listens on port 8080 inside the container (remap the host side freely if 8480 is taken); data lives in the three named volumes, so docker compose down never loses anything; back up the idpvault_secrets volume (master key) and idpvault_postgres with your host backup tool; put a reverse proxy with HTTPS in front for anything beyond localhost (see the Deployment doc in-app or on the wiki).

Support & contact

Bugs, feature requests, and questions: open a GitHub issue. Security reports: privately only, per SECURITY.md.

Repo layout

  • backend/ - FastAPI application
  • frontend/ - web UI (single-file SPA) + in-app docs
  • docker/ - Dockerfile, example compose stack, env template
  • docs/ - architecture and operations notes
  • .github/workflows/ - CI: tests gate the image build; releases auto-publish

Status

v1.0 shipped. See CHANGELOG.md for the full version history and docs/ROADMAP.md for shipped versions and what's next.

What a backup contains - and what it doesn't

IdPVault backs up your IdP's configuration via its API: applications, providers, flows, stages, policies, groups, property mappings, and the rest of the objects listed per provider. Snapshots are encrypted, versioned, and diffable, and support selective config restore.

This is not a full disaster-recovery backup. Two things to understand before you rely on it:

  1. Secrets are redacted by the IdP, not by us. Identity providers deliberately never return OAuth2 client secrets, certificate private keys, SMTP passwords, or signing keys through their export/read APIs. A restored object may therefore come back with its secret missing - you will need to re-enter or rotate those secrets after a restore. This is true of every backup product in this space, for Okta and Auth0 as much as Authentik.

  2. Self-hosted IdPs have state outside the API. For self-hosted Authentik, a true bare-metal recovery additionally needs, backed up by your own infrastructure tooling:

    • a pg_dump of the Authentik Postgres database (the actual source of truth),
    • its bind mounts (/data, /certs, /custom-templates, /media),
    • the compose file / environment, especially AUTHENTIK_SECRET_KEY - without the same secret key, a restored database cannot decrypt the secrets it holds.

    A planned "full DR" mode (see docs/ROADMAP.md) will optionally capture an encrypted pg_dump alongside config snapshots for self-hosted tenants.

Use IdPVault for what it is: configuration versioning, drift detection, and config-level restore. Pair it with host-level backups of your self-hosted IdP for full disaster recovery.

Licensing & tiers

IdPVault is source-available under the Business Source License 1.1 (see LICENSE): you can run it in production for your own organization; offering it to third parties as a hosted/managed service requires a commercial agreement. The code converts to Apache 2.0 on the Change Date.

The app itself is open-core:

  • Community (free, no key needed): 1 tenant, full config backup, drift detection & events, alerts, and config restore.
  • Business: 2 tenants (with tenant add-ons available), unlimited users, and Users & Access backup & restore (users, group memberships, app assignments).
  • MSP: everything in Business plus client orgs, org-scoped users, and renewal tracking. Tenant add-ons whenever you need them.

Flat, published pricing at https://idpvault.com.

License keys are Ed25519-signed tokens verified entirely offline against a public key embedded in the app - IdPVault never phones home and sends no telemetry. Install/manage keys in Settings → License. If a license expires (after a 3-day grace window) or is removed, nothing is deleted: your oldest tenant stays fully operational, other tenants keep all their data and snapshots but pause backup/restore, and identity features pause - everything resumes as soon as a valid key is installed. Renewal keys can be installed early; their term extends from the previous expiry.

Install IdPVault on Unraid in a few clicks.

Find IdPVault in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for IdPVault Review the template variables and paths Click Install

Categories

Related apps

Explore more like this

Explore all

Details

Repository
ghcr.io/keltech-services/idpvault:latest
Last Updated2026-07-17
First Seen2026-07-16

Runtime arguments

Web UI
http://[IP]:[PORT:8080]
Network
bridge
Shell
sh
Privileged
false

Template configuration

Web UI PortPorttcp

Web interface port

Target
8080
Default
8480
Value
8480
Snapshot DataPathrw

Encrypted configuration snapshots

Target
/data
Default
/mnt/user/appdata/idpvault/data
Value
/mnt/user/appdata/idpvault/data
SecretsPathrw

Holds the auto-generated encryption master key. BACK THIS FOLDER UP and never delete it - snapshots cannot be decrypted without it.

Target
/secrets
Default
/mnt/user/appdata/idpvault/secrets
Value
/mnt/user/appdata/idpvault/secrets
Database URLVariable

PostgreSQL connection string, e.g. postgresql+psycopg://idpvault:PASSWORD@SERVER-IP:5432/idpvault

Target
IDPVAULT_DATABASE_URL
Data DirVariable

Internal data path - do not change

Target
IDPVAULT_DATA_DIR
Default
/data
Value
/data
Master Key FileVariable

Internal key path - do not change

Target
IDPVAULT_MASTER_KEY_FILE
Default
/secrets/master.key
Value
/secrets/master.key